Leaky Address Masking: Exploiting Unmasked Spectre Gadgets with Noncanonical Address Translation

Author: Mathe Hertogh; Sander Wiebing; Cristiano Giuffrida
Publisher: Zenodo
DOI: 10.1109/SP54263.2024.00158
Source: https://zenodo.org/records/11333085/files/313000a158.pdf
Mathé Hertogh*, Sander Wiebing* and Cristiano Giuffrida*
*Vrije Universiteit Amsterdam, The Netherlands
{m.c.hertogh,s.j.wiebing,c.giuffrida}@vu.nl
Abstract—Linear Address Masking (LAM) is a recently announced Intel feature that enables the CPU to mask off some upper bits before dereferencing a 64-bit pointer. The key idea behind LAM (as well as the similar Upper Address Ignore or UAI from AMD), is to allow software to efficiently make use of untranslated bits of 64-bit linear addresses for metadata. The assumption is that, with LAM (or UAI) features enabled, one can implement fast security (e.g., memory safety) checks and ultimately improve security of production systems.
In this paper, we challenge this assumption and show that LAM features can actually degrade security in production by dramatically increasing the Spectre attack surface. To support this claim, we present a new Spectre covert channel based on noncanonical address translation and address key challenges to implement it in practice. For instance, we exploit properties of modern TLBs to craft a reliable signal and LAM features to (crucially) bypass canonicality checks. Moreover, we show that, unlike classic Spectre covert channels, ours unlocks generic (or unmasked) Spectre gadgets encoding high-entropy secrets as dereferenced pointers. Unlike classic (or masked) gadgets, we show the latter escape deployed mitigations and are pervasive in high-value targets such as the Linux kernel. To showcase the new attack surface, we present an end-to-end exploit for Spectre based on LAM (SLAM) targeting upcoming Intel CPUs. We specifically focus on the BHI Spectre variant and show that, despite mitigations believed to eradicate the attack surface, our exploit can abuse a variety of gadgets in the latest Linux kernel and leak the root password hash within minutes from kernel memory. We conclude by evaluating mitigations.
1. Introduction
Since the original Spectre [1] and Meltdown [2] disclosure in 2018, transient execution vulnerabilities have been increasingly gaining momentum. Five years, several disclosed variants, and even more deployed mitigations later, a key question still troubles researchers and practitioners: "What is the residual attack surface of last-generation systems?". For Meltdown-like vulnerabilities (e.g., L1TF [3], MDS [4], [5], [6], [7], [8], etc.) fully mitigated in hardware, the answer is relatively well-understood (i.e., "none", modulo the occasional mitigation flaws [8]). For Spectre, on the other hand, the answer is far from trivial.
    void masked_gadget(long *secret) {
        array[(*secret & 0xff) * 4096];
    }

    void unmasked_gadget(long **secret) {
        **secret;
    }

Figure 1: Masked and unmasked Spectre disclosure gadgets. The attacker controls secret during speculative execution.
Indeed, since Spectre vulnerabilities remain not fully mitigated in hardware, the residual attack surface depends on unintentionally exploitable code snippets (or disclosure gadgets) in the victim software. Typically, attackers only need to find one gadget to disclose secret data. They can then rely on direct/indirect branch misprediction to lure the victim into speculatively executing the gadget, the latter accessing and then transmitting the secret over a microarchitectural covert channel. Figure 1 (top) exemplifies a classic ("masked" [9]) gadget, with *secret (e.g., out-of-bounds) data masked down to 8 bits, encoded as an index to a small linear array, transmitted when accessing the corresponding array element's CPU cache line, and ultimately received by the attacker via a cache attack such as Flush+Reload [10].
With deployed mitigations reducing exploitable branch targets (e.g., by fencing direct branches [1] or tagging/flushing indirect branches [11]) as well as guarding sensitive array accesses to hinder masked gadgets (e.g., array_index_nospec [12]), finding classic Spectre gadgets or variations [11], [13], [14], [15] one can exploit in practice is a tall order. This is the case even for the large codebases of high-value victims such as the Linux kernel. Indeed, state-of-the-art kernel gadget scanners generally only report potentially exploitable gadgets [9], [11], [15], [16] or find exploitable ones that depend on other mitigated Meltdown-like vulnerabilities such as MDS [16], [17]. Existing end-to-end exploits, on the other hand, need to resort to software vulnerabilities [13], language features such as (unprivileged) eBPF [11], [15], or vulnerable older-generation microarchitectures [14]. As such, common wisdom suggests that the residual Spectre attack surface is thin in practice.
In this paper, we challenge common wisdom and uncover a significant new attack surface for user-to-kernel Spectre attacks on upcoming Intel/AMD CPUs¹. Specifically, we move away from classic Spectre gadgets and study "unmasked" gadgets [9], demonstrating their practical exploitation for the first time. Figure 1 (bottom) exemplifies an unmasked gadget, with 64-bit *secret data encoded as a dereferenced pointer. As we will show, unmasked gadgets originate from widespread pointer-chasing code patterns, and, as such, are abundant in modern kernels such as Linux.
Nonetheless, exploiting unmasked gadgets is challenging, to the point that their practical relevance has been often dismissed in the past [9]. Indeed, since these gadgets interpret an arbitrary high-entropy secret as a pointer and use a simple dereference for transmission, practical exploitation is out of reach for classic cache covert channels. First, the secret pointer may happen to encode an invalid address, such as a noncanonical or unmapped address, whose dereference may be unable to fill a valid cache line and transmit the secret. Second, even if the secret happens to encode a valid address, the pointer dereference may fill a cache line anywhere within the (huge and noncontiguous) valid 64-bit virtual address space, far exceeding the small linear array (and the CPU cache size) required by classic cache covert channels.
To address these challenges and show unmasked gadgets are exploitable in practice with few constraints, we devise a new Spectre covert channel based on a number of key insights. First, we move away from classic cache covert channels and opt for an address translation one. To this end, we consider different translation vectors and show that, due to their properties, modern TLBs are the ideal choice, simultaneously yielding the best efficiency and the largest attack surface. Unlike prior TLB covert channels [6], [18], [19], ours abandons the classic linear array design and adopts an efficient Evict+Reload construction [20] for the transmission, matching the reliability of classic cache covert channels. Second, we extend our covert channel to support noncanonical address translation. As we will show, this is possible by abusing Linear Address Masking (LAM, or UAI in AMD parlance) features [21] in upcoming Intel/AMD CPUs, which mask off crucial upper pointer bits normally subject to canonicality checks. We further show our covert channel can also target older-generation AMD CPUs that feature lazy canonicality checks. Finally, we devise a combination of sliding and just-in-time remapping techniques to reduce the entropy of our covert channel, enabling byte-by-byte disclosure and ultimately practical exploitation.
To evaluate the new attack surface, we use our covert channel to mount a practical user-to-kernel exploit for Spectre based on LAM (SLAM) against Linux. For our analysis, we specifically focus on the BHI Spectre variant [11], given that (i) assessing the residual BHI attack surface post unprivileged eBPF is an open and pressing question, having recently persuaded Intel to conduct the first large-scale, in-depth gadget analysis campaign from a vendor [9]; (ii) despite a dedicated gadget scanner and the extensive manual effort, said analysis found no attack surface of concern, after focusing on classic masked Spectre gadgets. In contrast, as we will show, even the simple gadget scanner we develop reveals hundreds of practically exploitable gadgets (out of 16,046 potential ones) to implement BHI exploits based on our TLB covert channel. As a concrete demonstration, we exploit 7 such gadgets in end-to-end SLAM exploit instances able to leak arbitrary ASCII characters from Linux kernel memory on upcoming Intel/AMD CPUs. Our exploits can leak the root password hash on the latest Ubuntu within minutes. We conclude by evaluating mitigations.

¹See Section 14 for impact also on future ARM CPUs.
In summary, our contributions are:
• The first security analysis of Intel LAM / AMD UAI, with concrete evidence upcoming LAM features can degrade (rather than improve) security.
• An analysis of translation-based covert channels, resulting in the first TLB Evict+Reload primitive able to disclose information from a privileged victim.
• The first (noncanonical address translation) covert channel enabling practical exploitation of unmasked Spectre gadgets.
• The first in-depth unmasked Spectre (BHI) gadget analysis of Linux and the resulting practical end-to-end SLAM exploit to leak the root password hash.
• Investigation and evaluation of mitigation options.
Availability. Code and additional information about SLAM is available at https://vusec.net/projects/slam.
2. Background
2.1. Address Translation
Memory management in modern CPUs uses a paging organization. Loads and stores operate on virtual addresses, which are translated by the Memory Management Unit (MMU) into physical addresses (normally referencing DRAM). Software has control over such virtual-to-physical address translation via multi-level page tables, i.e., a memory-resident radix tree mapping virtual to physical addresses, at the page (e.g., 4 KB) granularity. Upon every (virtual) memory reference, the MMU performs a page table walk, i.e., a radix-tree lookup to find the corresponding physical address, after which the actual data can be fetched. Walking the page tables requires extra memory accesses, since a page table entry (PTE) must be fetched at each page table level. PTE fetches use the same memory subsystem and hence the same CPU caches as normal data accesses. As an additional optimization, both full and partial address translations are cached in dedicated MMU caches, known as Translation Lookaside Buffers (TLBs) and Translation Caches (respectively). Page tables also support permission bits in each PTE, with software able to mark pages as user/supervisor, read/write/execute, etc. Modern operating systems deploy SMAP [22], a hardware feature preventing the kernel from accessing user memory.
2.2. Linear Address Masking
Modern x86_64 platforms support 48-bit or 57-bit virtual addresses with 4-level or 5-level page tables (respectively). Since pointers encode 64-bit virtual addresses, the upper (16 or 7, respectively) bits are irrelevant to address translation and instead required to be copies of the top translated bit (47 or 56, respectively), conventionally set for kernel addresses. Addresses complying to this requirement are said to be in "canonical form". Accessing a noncanonical address normally results in an exception, an inconvenience for memory sanitizers [23] and mitigations [24], [25], [26] which tag unused upper pointer bits to store metadata.
To address this problem, upcoming Intel/AMD CPUs implement support to mask some upper pointer bits before translation, loosening classic canonicality checks to accommodate software-managed tagged pointers. Such features are branded as Linear Address Masking (LAM) on Intel [21] and Upper Address Ignore (UAI) on AMD [27]. We elaborate on LAM/UAI details as well as their ability to unlock SLAM exploitation in Section 6.

Figure 2: Overview of Spectre attacks (steps 1 to 6: reset microarchitectural state, mistrain branch predictor, trigger victim, mispredict branch, execute disclosure gadget, decode microarchitectural state), with architectural execution of the attacker (red) and architectural / transient execution of the victim (green / blue).
2.3. Spectre Attacks
Spectre attacks [1] abuse modern processors' inability to roll back microarchitectural state modified by speculative execution. This allows an attacker to lure the CPU into speculatively executing code that should never run architecturally, inducing speculative accesses to secret data, and encoding the secret into microarchitectural state which the attacker can later decode (the covert channel). The most common covert channel is Flush+Reload [10], which exploits CPU cache lines in a reload buffer shared between the attacker and the victim.
Figure 2 shows an overview of Spectre attacks. Attackers (1) reset the microarchitecture to some known state (e.g., flush their reload buffer from the cache), (2) prepare their speculative control-flow hijack by mistraining a branch predictor, and (3) trigger victim execution with some malicious input (e.g., syscall). During the execution of the victim, the CPU mispredicts the mistrained branch (4) and speculatively executes a Spectre disclosure gadget, using attacker-controlled data. Traditionally, attackers target a "masked" gadget [9], encoding the secret as an index into an accessed array (Figure 1), i.e., the reload buffer. In general, the (disclosure) gadget (5) encodes the secret into some microarchitectural state, which attackers later (6) decode to leak the secret (e.g., by timing accesses to the different cache lines of the reload buffer to find the accessed array index).
Spectre attacks can hijack different types of branches. For example, Spectre-v1 hijacks conditional direct branches, while Spectre-v2 hijacks indirect branches. A recent type of Spectre-v2 attack is Branch History Injection (BHI) [11]. BHI speculatively hijacks an indirect victim branch, by poisoning the Branch History Buffer (BHB) with a colliding branch history. This lures the branch predictor into incorrectly predicting the victim branch and transferring control flow to the destination of another (colliding) target branch.
3. Threat Model
We consider a typical Spectre local exploitation scenario, with an attacker controlling an unprivileged user process on a victim machine and targeting a user-to-kernel Spectre attack to leak secrets from kernel memory. We specifically target the (secret) root password hash, as done in prior work [4], [11], [13], [14]. We assume a victim machine equipped with LAM features and running the latest Linux kernel with all the defenses against transient execution vulnerabilities enabled. We also assume other (e.g., memory safety) vulnerabilities are mitigated by orthogonal defenses.
4. SLAM
At a high level, SLAM exploits follow the same workflow of classic Spectre exploits (Figure 2). The key difference is that SLAM exploits unmasked Spectre gadgets, which encode the secret as a dereferenced pointer (i.e., secret pointer). As detailed later, such gadgets are abundant as they often originate from common pointer-chasing code patterns. A typical real-world example is the Linux kernel gadget listed in Figure 3. As shown in the figure, similar to classic masked gadgets, a speculative load (via the attacker-controlled iocb argument) reads secret data on Line 4. However, unlike classic masked gadgets, the secret is then interpreted as a pointer (f) and directly dereferenced on Line 5, a poor match for classic cache covert channels.

    1 ssize_t kernfs_fop_read_iter(
    2         struct kiocb *iocb,
    3         struct iov_iter *iter) {
    4     struct file *f = iocb->ki_filp;
    5     struct seq_file *s = f->private_data;

Figure 3: A typical SLAM disclosure gadget in the Linux kernel, with a call to kernfs_of inlined for readability. An attacker speculatively controlling iocb can lure the kernel into reading (Line 4) and disclosing (Line 5) data.

To understand the complications, let us consider a baseline exploitation scenario. Suppose a user-to-kernel attacker wants to craft a 1-bit information disclosure primitive to leak whether the secret data matches a predetermined, valid kernel pointer (Figure 4, top). For this scenario, a classic cache covert channel is sufficient. Indeed, the attacker can ensure the cache line backing the target kernel pointer is nonpresent (e.g., by walking a corresponding eviction set [28]), trigger speculative execution of the gadget, and then probe the cache to check if the target cache line is now present (e.g., à la Prime+Probe [29]). However, while this simple baseline primitive may be sufficient to break KASLR (i.e., with the attacker repeatedly trying to guess a target randomized kernel pointer until they see a signal in the cache), generalizing this primitive to generic secrets such as the root password hash is a tall order.
Indeed, without strong assumptions on the secret data, the secret pointer may not reference valid kernel memory. Figure 4 (bottom) shows a running example encoding of the first few bytes ("root:$y$") of the secret root password hash in Linux' /etc/shadow file. As the figure shows, the secret is encoded with a user, noncanonical address. In fact, we note that ASCII strings (i.e., our target) are always encoded as user pointers, as their bytes always have the uppermost bit unset, including the top translated bit (yellow in figure). Moreover, out of the whole 64-bit virtual address space, less than 0.01% is canonical. Since both user and noncanonical pointer dereferences raise exceptions (i.e., due to SMAP and canonicality checks, respectively) and do not normally fill cache lines even on speculative paths, the secret leakage surface of our unmasked gadget is thin for classic cache covert channels.
Furthermore, even if the secret happened to encode a valid pointer, the high (no less than 47-bit) entropy of the secret pointer would pose an additional problem. While masked gadgets typically leak 8 bits of secret data at a time, conveniently encoded in an index to a 256-element reload buffer, unmasked gadgets cannot easily fit the small-linear-array model. Indeed, the distribution of valid secret pointer values is large and highly nonlinear, also well exceeding the occupancy of modern CPU caches.
Hence, starting from a baseline 1-bit valid kernel pointer disclosure primitive, SLAM tackles three main challenges:
• C1: How do we extend our disclosure primitive to user pointers? As we shall see, SLAM addresses this challenge with address translation covert channels.
• C2: How do we extend our disclosure primitive to noncanonical pointers? As we shall see, SLAM addresses this challenge by bypassing canonicality checks with LAM features.
• C3: How do we generalize our disclosure primitive to actually leak secrets? As we shall see, SLAM addresses this challenge by a combination of sliding and just-in-time remapping techniques.
Figure 4: A valid kernel pointer (top; bytes FF FF FF FF 99 79 71 E0, most significant byte first, bit 47 = 1) vs. root password hash bytes encoded as a pointer (bottom; bytes 24 79 24 3A 74 6F 6F 72, i.e., the string "root:$y$" read as a little-endian 64-bit value, bit 47 = 0) on 4-level paging systems. Bits 63:48 (red) are subject to canonicality checks. Bit 47 (yellow) is set (unset) for kernel (user) pointers.
5. Leaked in Translation
To address C1, we need to expand the leakage surface of our baseline 1-bit information disclosure primitive (i.e., leaking whether the secret is a predetermined, valid kernel pointer) to user pointers. To this end, we need a covert channel capable of encoding the secret into microarchitectural state upon a user pointer dereference. This is infeasible for classic cache covert channels, since user pointer dereferences are invalid (and thus unable to complete and fill cache lines) in kernel mode due to Supervisor Mode Access Prevention (SMAP) [22]. This is the case architecturally [22] and (although speculative SMAP behavior remains "officially" undocumented [30]) also microarchitecturally [31].
To address this challenge, the key insight is that we need a covert channel based on microarchitectural state that gets involved before SMAP checks kick in. And since, for SMAP checks to kick in, the MMU needs to first determine whether the kernel is dereferencing user memory, we turn our attention to the address translation process. Indeed, the MMU needs to complete address translation in order to locate the appropriate translation entry (PTE) and check the corresponding supervisor bit (unset for user memory).
To confirm this behavior, we set up an experiment with the unmasked Spectre gadget in Figure 3. We speculatively executed the gadget in the kernel while instructing it to read and dereference a secret encoded as a (valid and present) user address. As expected, on all of our tested microarchitectures (detailed later), we observed the backing user cache line not to be filled by the gadget, confirming the infeasibility of the cache covert channel. At the same time, using existing microarchitectural attacks [32] we clearly observed a signal for translation-related activity, confirming address translation completes before SMAP checks can get a chance to dismiss the user pointer dereference as invalid.
Building on these results, our next step is to craft an address translation covert channel for secrets encoded as user pointers. We observe that, other than being able to bypass SMAP checks, such a covert channel has a number of other advantages compared to classic cache covert channels. For example, address translation is agnostic to the particular memory access type. This can increase the number of available gadgets compared to classic cache covert channels, which typically rely on regular load instructions and may be impaired by store instructions [18]. Finally, since address translation leaves persistent traces in the many microarchitectural components involved in the translation process, there are multiple options to craft our covert channel. We consider the main options in the next subsections. For simplicity, we develop our analysis along our running example on 4-level paging systems (Figure 4), but our results directly extend to 5-level paging systems.

Figure 5: At each page table level, 6 bits (purple) of the virtual address can be retrieved via the corresponding PTE: bits 47:42 at level 4, 38:33 at level 3, 29:24 at level 2 and 20:15 at level 1 of the (canonicalized) running example.
5.1. PTE Probing
During address translation, the MMU walks page tables and fetches PTEs from memory via the same data cache hierarchy as regular memory accesses [32]. Bits 47:39 determine the PTE of the secret pointer at the (4th level) root page table. As 8 PTEs, of 8 bytes each, fit into one 64-byte cache line, bits 47:42 determine the PTE's cache line. Hence, by inferring which of the 64 cache lines constituting the root page table gets fetched, via a set-granular cache attack such as Prime+Probe or Evict+Time [32], an attacker can retrieve bits 47:42 of the secret pointer. This allows the attacker to tell whether a given secret pointer was dereferenced (baseline 1-bit disclosure primitive) or even discriminate between different secrets. This idea generalizes to the lower-level page tables, provided that the PTEs of previous levels are valid (i.e., present and with the correct permissions). Figure 5 shows which bits can be retrieved at each level for our (canonicalized) running example.
An advantage of the PTE probing covert channel is that one can retrieve (some) secret bits even for nonpresent addresses as long as partial page table (e.g., top-level) information is present. At the same time, a disadvantage is that page table walks require a relatively large speculation window, as multiple cache misses need to fit in the window. In addition, the reliance on cache set probing results in a noisy covert channel, especially during kernel execution [13]. Finally, for deep page table walks, it is challenging to match up signals in multiple cache sets with the different PTE levels [32]. To address these shortcomings, we turn to the TLB next.
5.2. TLB Probing
To build a covert channel based on the TLB, we need to first confirm the TLB incurs microarchitectural state changes upon a speculative load incurring an SMAP exception. On x86, TLBs are known not to perform negative caching, i.e., invalid entries produced by a page table walk are not cached in the TLB. This behavior is documented for nonpresent entries [33], but not for other erroneous entries. To investigate the behavior, we repeated the same experiment as above (i.e., letting the kernel speculatively dereference a user address) multiple times for both present/nonpresent user addresses after first flushing the backing TLB entry. With the help of existing microarchitectural attacks [34], we confirmed the behavior for nonpresent addresses: a load referencing a nonpresent user address did not fill the TLB (i.e., no TLB hit in repeated experiments). However, for the present user address case we observed the opposite behavior, with the speculative load filling the TLB despite the SMAP fault (i.e., TLB miss on the first repetition, TLB hit on the second one).
Armed with this knowledge, one can build a TLB probing covert channel for secret user pointers. Specifically, one can rely on a set-granular TLB attack such as TLB Prime+Probe or Evict+Time [34] to retrieve the TLB set accessed by the Spectre gadget and the corresponding bits of the secret pointer. In contrast to PTE probing, this covert channel requires shorter windows, since we can control and reduce the work done on the TLB miss encountered by the gadget, and eliminates the need to probe multiple sets at the time. At the same time, this covert channel can only operate on present user addresses and is even more noisy, since TLB set page-granular collisions are much more common than cache set collisions. We later detail how to handle the former complication. We handle the latter next.
5.3. TLB Reloading
To eliminate the need for TLB set probing, the key insight is that, since we explicitly target user addresses accessed by the kernel (due to our ASCII string target), the accessed TLB entry is shared between the attacker (user) and the victim (kernel). As such, we can adapt the Evict+Reload cache attack [20] to the TLB, directly retrieving the TLB entry accessed by the Spectre gadget and the corresponding bits of the secret pointer. This is done by: (i) walking TLB eviction sets to evict the TLB entry backing our target user address in userland [34], [35], (ii) triggering the speculative execution of the gadget in the kernel, and (iii) reloading the target TLB entry. To reload the TLB entry, the attacker needs to measure the latency of the target user address translation.
To this end, one option is to rely on the translation-dependent timing of the prefetch instruction(s) [36], [37], although we observed unreliable timings on our AMD testbed. A more general solution is to measure the time to complete a load referencing the target user address. However, since such time is both translation- and data fetch-dependent, care should be taken to properly isolate the translation latency. For this purpose, we need to control the source of the data fetch and select the one that maximizes the signal.
Selecting the cache level. In our experiments, we determined L2 data fetches to be consistently optimal. Indeed, as shown in Figure 6, the virtually indexed L1 cache is looked up in parallel to the TLB, thereby masking the TLB signal. Higher data cache levels are physically indexed, serializing TLB and cache access latencies and yielding a better signal. However, the higher the selected cache level (or in the worst case, DRAM), the higher the jitter caused by the more complex microarchitectural geometry (e.g., last-level cache slices). As such, we found L2 to be a sweet spot.

Figure 6: High-level overview of TLB and data caches. The MMU front end looks up the L1 TLB and, on a miss, the L2 TLB; the L1 cache is indexed with the virtual address in parallel to the TLB lookup and its physical-address tag is compared against the translation, whereas the L2 cache is looked up with the physical address.
Selecting the TLB level. As depicted in Figure 6, modern MMUs commonly deploy two-level TLBs [35], hence attackers can get their signal via either L2 or L1 TLB misses. In the former scenario, one can evict both (L1 and L2) target TLB entries and calibrate the reload step's timings to distinguish between a L1 TLB hit and a L2 TLB miss. In the latter scenario, one can evict only the target L1 TLB entry while preserving L2 and instead focus on a L1 TLB hit versus L1 TLB miss (L2 hit) signal. Indeed, after missing L1 and hitting L2, the Spectre gadget causes the MMU to fill the L1 TLB entry, yielding the signal. For our purposes, we found the latter scenario to be preferable for a variety of reasons. First, the lack of L2 TLB misses eliminates page table walk jitter (e.g., cached vs. uncached PTEs), improving the signal. Second, as detailed in Section 11.2, the small L2 TLB hit latency results in short speculation windows, which can help bypass certain mitigations [38]. Finally, as detailed in Section 6.2, (L2) TLB hit-based gadgets extend the attack surface to additional (existing) AMD microarchitectures.
Selecting the page size. Modern operating systems support 4 KB, 2 MB, and 1 GB pages. Modern TLBs lay out their entries in separate partitions accordingly [39]. As such, by selecting a different page size for our target user address to reload, we can use a different part of the TLB as our covert channel. Figure 7 shows which bits can be retrieved for our (canonicalized) running example for the different page sizes (although 1 GB pages are often restricted in practice). The smaller the page size, the larger the number of secret pointer bits one can retrieve, although this is not crucial as we shall see in Section 7. A more pressing concern is noise isolation. One should select a page size that is as infrequently used as possible by the kernel, in order to minimize interference with the TLB partition used by the covert channel and thus maximize the signal. Since the kernel uses 2 MB pages for its own text and data sections as well as (mostly) 1 GB pages for its direct map of physical memory, we select 4 KB pages for our covert channel.
Figure 7: Depending on the page size, a number of virtual address bits (purple) can be retrieved via the TLB for the (canonicalized) running example: bits 47:12 with 4 KB pages, bits 47:21 with 2 MB pages and bits 47:30 with 1 GB pages.
5.4. Summary
We considered a number of translation covert channels for SLAM. We focused on the main options, but variations are possible. For instance, one could rely on other microarchitectural components, such as page table caches [40] to reduce the noise on the PTE probing signal, or translation caches [40] to extend our TLB covert channel to nonpresent addresses. In practice, the microarchitectural details of modern TLBs are well understood and we did not find any serious limitations that deterred their use for SLAM.
C1 Solution. SLAM uses a TLB Evict+Reload covert channel, with 4 KB TLB entries and a L1 vs. L2 hit signal. This provides a low-noise, low-latency covert channel to extend the leakage surface of our baseline 1-bit pointer disclosure primitive to present user addresses.
6. Canonicalizing Secrets
To address C2, we need to expand the leakage surface of our existing 1-bit user pointer disclosure primitive to noncanonical user pointers. This is important, as so far we have only dealt with canonical user pointers, while secret ASCII strings, barring those with NUL characters in strategic positions, always encode to noncanonical ones. The latter cannot be normally processed by our TLB covert channel, as translation hinges on successful canonicality checking. To this end, we consider different mechanisms to "canonicalize" secrets on Intel and AMD platforms.
6.1. Intel Platforms
On upcoming Intel platforms (e.g., Sierra Forest, Grand Ridge, Arrow Lake, and Lunar Lake [21]), we turn to LAM for our purposes. With LAM enabled, some upper pointer bits are "masked" upon pointer dereference. LAM has two modes: (i) LAM48, masking 15 upper bits (62:48) for 4-level paging systems; (ii) LAM57, masking 6 upper bits (62:57) for 5-level paging systems. In both cases, the upper nontranslated bits except the most-significant bit are masked, i.e., copied from the top translated bit ([62:48] := [47], for 4-level paging), before address translation occurs [21]. Since the masked bits are made canonical by LAM, the original upper pointer bits are no longer subject to canonicality checks and can thus store arbitrary values. Bit 63 is the only special case, required to match the top translated bit to avoid a noncanonical address exception.

Figure 8: Intel LAM masks away bits 62:48 (grey), reducing the canonicality check to the equality of bits 47 and 63 (red), shown on the running example of Figure 4 (bytes 24 79 24 3A 74 6F 6F 72, where both bit 47 and bit 63 are 0).

Bit 63 is also used as a "supervisor" bit by LAM to distinguish kernel from user pointers. Indeed, LAM can be enabled separately for user and/or supervisor pointers via control registers. Software support merged in recent Linux kernel versions [41] enables LAM only for user pointers. This allows user processes to enable LAM for their own (tagged) pointers. With LAM enabled, user pointers dereferenced by kernel code are still masked, as LAM honors the zero bit 63 but ignores the privilege level.
The latter property allows a LAM-enabled user process to pass noncanonical user pointers to the kernel and the kernel to later dereference them as part of in-kernel syscall handling. This is important to simplify kernel support for LAM, as user pointers can be dereferenced "as-is" by the kernel, eliminating the need for the kernel to explicitly mask them. However, this property is also crucial to unlock SLAM exploitation. Indeed, as shown in Figure 8, LAM effectively disables the canonicality check for all the upper bits but bit 63 of the secret pointer dereferenced by the kernel. In other words, under LAM, the canonicality requirement is reduced to bit 63 and the top translated bit of a pointer being equal. However, since SLAM targets secret ASCII strings, this invariant always holds for our secret user pointers. We conclude that our TLB covert channel can bypass canonicality checks with Intel LAM.
6.2. AMD Platforms
UAI is AMD's LAM variant on upcoming AMD platforms. UAI is simpler than LAM and somewhat closer to ARM's Top Byte Ignore [42], with the MMU simply ignoring the most-significant 7 bits of a virtual address during translation. Since only 7 bits are ignored, on 4-level paging systems 9 bits (56:48) are still affected by canonicality checks. This effectively hinders SLAM exploitation, at least for generic ASCII strings. However, on 5-level paging systems those 9 bits are involved in address translation (indexing the level-5 page table), allowing our TLB covert channel to bypass canonicality checks with AMD UAI.
We also considered SLAM exploitation on existing AMD microarchitectures vulnerable to Transient Execution of Noncanonical Accesses (TENA) [43], [44]. Indeed, as shown in Figure 9, such 4-level paging microarchitectures parallelize translation (+ data fetch) and canonicality checks. Specifically, the CPU uses the lower 48 bits of the virtual address to consult the TLB and L1 data cache, as well as the upper 17 bits to check canonicality in parallel. As a result, the TLB and data cache ignore the upper 16 bits of the virtual address, hence a noncanonical address can initiate a memory access to its canonical counterpart (same lower 48 bits). Moreover, this creates a microarchitectural race between the canonicality check and the memory access: the target data may be transiently forwarded to later instructions in the pipeline, despite the noncanonical target address.
[Figure 9 (image): the pointer bytes 24 79 24 3A 74 6F 6F 72 (“root:$y$”); bits 63:47 feed the canonicality check while bits 47:0 feed the TLB and the L1D cache in parallel.]
Figure 9: The canonicality check races against the TLB and the data cache: bits 47:0 (green and yellow) get passed to the TLB and the data cache, and in parallel bits 63:47 (yellow and red) are passed to the canonicality checker.
Prior work has exploited the latter property to craft Meltdown-type gadgets that speculatively load data from a noncanonical address and then leak said data via a classic cache covert channel [43]. According to the authors, their analysis did not reveal exploitable instances of such gadgets in practice. In contrast, with SLAM, we want to show that transient noncanonical accesses do have practical impact when used to support the address translation covert channel of an unmasked Spectre gadget. For this to happen, we need to ensure the requirements are satisfied. According to the AMD documentation, transient noncanonical accesses are possible only when address translation incurs a TLB hit [43], but no requirements on the particular TLB level are specified. Our proposed TLB covert channel does incur a TLB hit, but only in the L2 (and not in the L1) TLB by construction. To uncover whether L2 TLB hits are sufficient, we set up an experiment with the unmasked Spectre gadget in Figure 3. We speculatively executed the gadget in the kernel, while instructing it to read and dereference a secret encoded as a noncanonical (present) user address and performing L1 TLB Evict+Reload for the backing TLB entry. From the affected AMD platforms [43], we tested on a Ryzen 7 2700X, available in our lab. Our results revealed a signal for the target address, confirming the gadget performs the transient noncanonical access upon an L2 TLB hit and reinserts the backing entry into the L1 TLB. We conclude that our TLB covert channel can successfully support noncanonical secret user pointer dereferences on microarchitectures affected by TENA, even in the absence of hardware masking features.
[Figure 10 (image). Left: the pointer bytes 24 79 24 3A 74 6F 6F 72 (“root:$y$”) with the mask/ignore, leak, known and page-offset bit ranges marked for forward sliding (leaked bits 47:40, known bits 39:12) and backward sliding. Right: the user virtual address space with the forward reload pages 0x003A746F6000, 0x013A746F6000, 0x023A746F6000, 0x233A746F6000, 0x253A746F6000, 0x7F3A746F6000 around the hit at 0x243A746F6000, and the backward reload range from 0x243A74600000 to 0x243A746FF000.]
Figure 10: Left: secret leakage using forward (top) and backward (bottom) sliding. Vulnerable hardware canonicalizes the grey bits, and translation ignores the green bits. With the blue bits known, SLAM leaks the remaining purple bits. Right: just-in-time reload buffer for forward leakage (noncontiguous, in orange) and backward leakage (contiguous, in yellow).
6.3. Summary
We considered different mechanisms to canonicalize 64-bit secret pointers for our TLB Evict+Reload covert channel. On both Intel and AMD platforms, we successfully found canonicalization strategies for our purposes.
C2 Solution. SLAM can rely on LAM / UAI features to canonicalize noncanonical user pointers. Similar primitives exist on AMD systems vulnerable to TENA. These primitives expand the leakage surface of our 1-bit pointer disclosure primitive to noncanonical user addresses.
7. Leaking Secrets
To address C3, we need to generalize our 1-bit noncanonical user pointer disclosure primitive to one able to actually leak secrets. In other words, we need to turn our 1-bit TLB covert channel (able to test for the presence of a predetermined secret) into a generic N-bit covert channel (able to disclose arbitrary (ASCII) 64-bit secrets). A simple 1-bit covert channel is clearly impractical for the task (as we would need to test all the possible secret values to leak), but so is a high-entropy one (as we may lack microarchitectural state to encode the possible values all at once).
To address this challenge, we first observe that the techniques introduced in the previous sections already provide significant entropy reduction for our 64-bit secret pointers. Specifically, secret canonicalization eliminates entropy in the upper bits, and our TLB 4 KB page-granular covert channel eliminates entropy in the lower 12 bits. As also shown in Figure 7, this still leaves us with 36 bits of entropy (bits 47:12, on 4-level paging systems). However, since we leak ASCII data, where every byte's top bit is zero, the five top bits of the bytes that fall in this range (bits 47, 39, 31, 23 and 15) are known, and the entropy is further reduced to 31 bits. Such residual entropy leads to a reload buffer of 8 TB (2^31 pages of 4 KB), far exceeding the size of modern TLBs, as well as being practically unmanageable for an attacker. We tackle these two issues in order next.
7.1. Reducing Entropy with Sliding
To ensure the reloaded pages fit the size of modern TLBs, we want to reduce the entropy of the secret to that of a single byte per gadget iteration. To this end, we slide the pointer referencing secret data byte-by-byte across iterations, causing the secret retrieved by the current iteration to contain only known bytes from the previous iterations except one (new and unknown) byte. Figure 10 (top-left) exemplifies an iteration of such a byte-by-byte leakage strategy on 4-level paging systems, with bits 39:12 (blue) known and bits 47:40 (purple) to be leaked. Since bit 47 is always zero due to ASCII, the entropy per iteration is reduced to 7 bits. Hence, we need a reload buffer of only 128 pages. Similar to prior sliding techniques [4], [13], [14], [45], we also need a way to kick-start the strategy for the first iteration with some data known a priori. While one can in principle exploit memory massaging to colocate arbitrary secrets with known data [45], ASCII strings typically already contain known data in-band. This is indeed the case for our target /etc/shadow file, which consistently interleaves known (username) with secret (password) data.
7.2. Just-in-time Reload Buffer Remapping
Although we have reduced the number of reloaded pages per iteration, the total possible range is still 8 TB scattered across the virtual address space. With demand paging, one could map a single “sparse” reload buffer spanning the entire user address space for this purpose. However, this simple strategy incurs many (i.e., up to 128) costly page faults per iteration and unbounded memory consumption (or costly cleanups). To address these issues, we instead mmap only the range sufficient to cover all 128 pages of the first iteration and each time mremap the reload buffer just-in-time to cover the 128 pages needed by each subsequent iteration. Initially, this results in a noncontiguous reload buffer, as illustrated in orange in Figure 10 (right) for our example pointer: the attacker already knows “oot:”, and maps the 128 orange pages corresponding to the next 7 unknown bits just-in-time. Evicting the TLB, triggering the unmasked Spectre gadget, and reloading all 128 orange pages will reveal an L1 TLB hit at 0x243a746f6000, leaking the byte “$”. Now, with knowledge of the 4 bytes “ot:$”, the attacker can repeat the process and leak the next byte. Nonetheless, since this intuitive style of forward leaking requires a sparse (and hence costly-to-remap) reload buffer, SLAM slides (and leaks) backward (towards lower addresses) by default, as also shown in Figure 10 (bottom-left). This strategy yields a compact, fully paged reload buffer (yellow in the figure) we can efficiently mremap at every iteration using a single system call. Care should be taken not to remap onto our own code/data, but this can be easily accomplished by a linker script placing exploit code/data in a range of the user address space encoding at least one non-ASCII character. In practice, building a non-PIE binary is sufficient on Linux.
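The forward sliding iteration of Section 7.1 and the reload-page arithmetic of Section 7.2, worked through in code. This is an added example and not the SLAM authors' implementation: the TLB is replaced by a software oracle that returns the page an unmasked gadget would pull into the L1 TLB under a LAM48-style mask on 4-level paging, the secret string is a constructed sample with a known “root:” prefix, and no Spectre gadget, eviction or timing is involved. Only forward sliding (top of Figure 10) is modelled, because the text spells out its bit layout exactly; the backward variant with its compact buffer is not reproduced here.

```c
/* Added example, not the SLAM authors' code: forward byte-by-byte sliding
 * against a software TLB oracle. 4-level paging, LAM48-style masking assumed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BITS_47_12   0x0000FFFFFFFFF000ULL   /* translated, page-granular bits */
#define RELOAD_PAGES 128                      /* 7 unknown bits: bit 47 is 0 for ASCII */
#define PTR_BYTES    8

/* Constructed sample secret. The trailing zero bytes stand in for whatever
 * follows the string in memory, so the gadget's 8-byte load stays in bounds. */
static const char SECRET_MEM[32] = "root:$y$abc123";

/* Bits 39:12 of the pointer the gadget forms at secret offset `off`, built from
 * the already-known bytes off+1..off+4 (pointer bytes 1..4). Pointer byte 0 and
 * the low nibble of byte 1 fall in the page offset and never matter. */
uint64_t forward_base(const char *known, size_t off)
{
    uint64_t v = 0;
    for (int k = 1; k <= 4; k++)
        v |= (uint64_t)(uint8_t)known[off + k] << (8 * k);
    return v & 0x000000FFFFFFF000ULL;         /* bits 39:12 */
}

/* Candidate reload page for guess g (0..127) of pointer byte 5 (bits 47:40).
 * Consecutive guesses are 1 TB apart: the sparse, orange buffer of Figure 10,
 * which is what makes forward leaking costly to remap. */
uint64_t forward_candidate(uint64_t base, unsigned g)
{
    return ((uint64_t)g << 40) | base;
}

/* Oracle for the hardware side: the gadget dereferences the 8 bytes at `off`.
 * Under LAM48 the access reaches the TLB only if bit 63 equals bit 47; the TLB
 * is then keyed by bits 47:12. Returns 0 when the access would fault instead. */
uint64_t tlb_oracle(const char *mem, size_t off)
{
    uint64_t p;
    memcpy(&p, mem + off, PTR_BYTES);        /* little-endian host assumed */
    if (((p >> 63) & 1) != ((p >> 47) & 1))
        return 0;
    return p & BITS_47_12;
}

/* One sliding iteration: map the 128 candidates, trigger the gadget, reload,
 * and report the guess whose page now hits in the L1 TLB (-1 if none). The
 * match is on all of bits 47:12, so the known bits 39:12 act as a signature. */
int leak_byte_forward(const char *mem, const char *known, size_t off)
{
    uint64_t base = forward_base(known, off);
    uint64_t hit  = tlb_oracle(mem, off);
    if (hit == 0)
        return -1;
    for (unsigned g = 0; g < RELOAD_PAGES; g++)
        if (forward_candidate(base, g) == hit)
            return (int)g;                   /* byte value == g since bit 47 is 0 */
    return -1;
}

/* Drive the leak: start from `nknown` known bytes (at least 5, e.g. "root:"),
 * slide the pointer forward one byte per iteration, and append each leaked
 * byte to `out` until a zero byte (end of string) or no signal. Returns the
 * number of bytes in `out`, which is NUL-terminated. */
size_t leak_forward(const char *mem, size_t memlen, size_t nknown,
                    char *out, size_t outlen)
{
    if (nknown < 5 || nknown >= outlen || nknown > memlen)
        return 0;
    memcpy(out, mem, nknown);
    size_t n = nknown;                       /* invariant: n == off + 5 */
    for (size_t off = nknown - 5; off + PTR_BYTES <= memlen && n + 1 < outlen; off++) {
        int b = leak_byte_forward(mem, out, off);
        if (b <= 0)
            break;
        out[n++] = (char)b;
    }
    out[n] = '\0';
    return n;
}

/* Self-check: leak SECRET_MEM from the known prefix "root:"; 1 on success. */
int demo_leak_matches(void)
{
    char out[32];
    size_t n = leak_forward(SECRET_MEM, sizeof SECRET_MEM, 5, out, sizeof out);
    return n == 14 && strcmp(out, "root:$y$abc123") == 0;
}

int main(void)
{
    char out[32];
    size_t n = leak_forward(SECRET_MEM, sizeof SECRET_MEM, 5, out, sizeof out);
    printf("leaked %zu bytes: %s\n", n, out);
    return 0;
}
```

With the prefix “root:” known, the first iteration reproduces the figure's numbers: the known bytes “oot:” give base 0x3A746F6000, the 128 candidates run from 0x003A746F6000 to 0x7F3A746F6000 in 1 TB steps, and the oracle's hit at 0x243A746F6000 decodes to “$”. Each later iteration uses the byte just leaked as part of the next signature, which is why four known bytes suffice on 4-level paging.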
7.3. Summary
We have shown that, while unmasked Spectre gadgets normally produce 64-bit (noncanonical) secrets, we can enhance our TLB Evict+Reload covert channel with entropy-reducing techniques to leak such high-entropy secrets byte-by-byte, similar to classic masked Spectre gadgets.
C3 Solution. SLAM relies on backward sliding and just-in-time remapping to leak high-entropy secret pointers byte-by-byte with a movable, 128-page reload buffer. We need N bytes of known data for N-level paging. This strategy generalizes our 1-bit noncanonical user pointer disclosure primitive to arbitrary ASCII string disclosure.
8. End-to-End Covert Channel
Armed with our ASCII string disclosure primitive, we can now build an end-to-end SLAM covert channel in preparation for our end-to-end exploit. This is to demonstrate that a kernel-resident sender can reliably transmit data to a userland receiver. For this purpose, we need a protocol between sender and receiver, a way to evict (only) the L1 TLB and L1 cache, and a way to handle noise. We will later reuse some of these building blocks for our end-to-end exploit.
8.1. Protocol
We use a simple protocol with the sender transmitting ASCII characters by transiently executing an unmasked gadget such as the one in Figure 1 and the receiver retrieving them via TLB Evict+Reload. To transmit one character at a time, the sender slides backward and the receiver remaps a 128-page reload buffer just-in-time. For synchronization, we simply allow the receiver to send a ready-for-next-iteration signal via a predetermined syscall. For error correction, we use the inherent redundancy in our TLB signal, with only 7 out of 31 bits used for data, i.e., we require the remaining bits to match the known signature. Upon mismatch (error), the receiver requests a retransmission. We consider three covert channel (4-level paging) variants: (i) AMD TENA (natively bypassing canonicality checks on vulnerable microarchitectures); (ii) Intel LAM (simulated by sign-extending bit 47 of the secret pointer to bits 62:48, as described in the ISA [21]); (iii) AMD UAI (expanding LAM's sign extension to bit 63).
8.2. Evictions
Our signal relies on the small latency difference of L1 vs. L2 TLB hits, which we measure with the timestamp counter and a counting thread [32], [46], [47] on Intel and AMD (respectively). As explained in Section 5.3, to reliably measure such a difference we need to evict the L1 TLB and L1 cache, while preserving their L2 counterparts, before the transmission occurs. To this end, we use a single virtually and physically contiguous eviction buffer, as accessing virtually (physically) consecutive pages puts minimal pressure on the L2 TLB (cache). Meanwhile, by carefully choosing at what page offsets we access the eviction pages, we use the same memory accesses to simultaneously evict the L1 TLB and the first L1 cache set (used for reloading). We allocate our eviction buffer by mapping a 2 MB huge page and then splitting it into consecutive 4 KB pages with mprotect.
8.3. Noise
We use standard techniques to deal with noise such as pointer chasing to implement evictions [35] and repetitions to sample the signal. In detail, we repeat every single gadget iteration 2 ∗ 128 ∗ R times. The factor 2 ensures a first gadget repetition speculatively loads the secret pointer into the L1 cache, so a subsequent repetition can access it quickly no matter how short the speculation window. The factor 128 is to distribute the reload step across 128 gadget repetitions (one per reload entry), a simple way to combat noise from the TLB prefetcher. Finally, R is the number of microarchitecture-specific repetitions (or simply repetitions hereafter) to tune the accuracy-performance trade-off.
8.4. Covert Channel Evaluation
To evaluate our three end-to-end covert channel variants, we set up the following experiment. The sender generates 64 KB of random ASCII data and appends to it a predetermined magic value known to the receiver. The sender (receiver) transmits (receives) the data backward, starting from the magic value. To combat noise, we use R = 4 repetitions on Intel and R = 32 repetitions on AMD. We
Appendix A.
Meta-Review
The following meta-review was prepared by the program committee for the 2024 IEEE Symposium on Security and Privacy (S&P) as part of the review process as detailed in the call for papers.
A.1. Summary
This paper deals with Spectre-like vulnerabilities. More specifically, the authors present a new (family of) attack(s), dubbed SLAM, which takes advantage of a new, upcoming feature in Intel and AMD CPUs, called LAM/UAI (linear address masking/upper address ignore), in order to turn unmasked Spectre gadgets into exploitable memory disclosure primitives. Unmasked Spectre gadgets typically result in non-canonical address translation, and they are currently considered a non-issue – from a security/exploitation perspective. The paper discusses how LAM/UAI, which is basically the equivalent of ARM's TBI (top-byte ignore) on Intel/AMD CPUs, can effectively act as a “mask” during pointer dereferencing, thereby facilitating the exploitation of unmasked Spectre disclose gadgets. LAM/UAI canonicalizes pointers and ignores privilege level checks – e.g., SMAP. Building on this observation, the paper further discusses ways for (ab)using (a) page-table translations and (b) the TLB for constructing a low-noise, low-latency covert channel for disclosing secret information. Lastly, the authors proceed with introducing two novel techniques, namely sliding and just-in-time reload buffer remapping, to facilitate the end-to-end exploitation of unmasked gadgets. The paper demonstrates SLAM by breaking KASLR and leaking the root password from kernel memory.
A.2. Scientific Contributions
• Creates a New Tool to Enable Future Science
• Identifies an Impactful Vulnerability
• Provides a Valuable Step Forward in an Established Field
• Establishes a New Research Direction
A.3. Reasons for Acceptance
1) The result(s) presented in this paper are both important and timely, as the exploitation of unmasked Spectre gadgets is currently considered a non-issue, and such gadgets are mostly ignored from analysis tools, hardening frameworks, etc.
2) The security analysis of LAM/UAI is novel and insightful, while the techniques for canonicalizing addresses using LAM/UAI and constructing a disclosure primitive by abusing MMU elements are advancing our current knowledge re: Spectre attacks and improve the state-of-the-art in terms of low-noise, low-latency covert channel construction.
A.4. Noteworthy Concerns
LAM/UAI was emulated in software and hence the end-to-end effectiveness experiment(s) performed used that software analogue. Nevertheless, Intel, AMD, and ARM have acknowledged that the issue is real.